This is article part 4 of 15 in this report.

August 4, 2025

Cyber Risk in an Increasingly Digitalized Manufacturing Sector

Key takeaways

  1. In spite of a challenging risk environment, the overall cyber-risk profile of manufacturers remained flat between 2022 and 2024.
  2. Aon’s red flag controls data indicate that companies of all sizes lack several key resilience-related cyber controls.
  3. Manufacturers need to understand and manage current and developing risks, segment IT and OT environments and invest in response and recovery.

The manufacturing sector is a leading driver of growth around the world, employing more than 150 million people and adding some $13 trillion a year to the global economy.[1] It’s little wonder, then, that any cyber attack on the sector has wide-ranging and damaging implications.

Manufacturers not only have to tackle the information technology (IT) risks that apply across many sectors, they also have to secure their operational technology (OT), the cornerstone of most manufacturing businesses, which is itself becoming increasingly digitalized. The Industrial Internet of Things (IIoT), the continued migration of key systems and data to the cloud, and the incorporation of new technologies continue to open up whole new areas of cyber risk. At the same time, the OT environments of most companies still contain many legacy systems. These systems may lack the protections built into their newer counterparts and therefore significantly increase a manufacturer’s overall cyber exposure.

Managing these risks can be particularly challenging, especially when it comes to third-party cyber risk. Many manufacturers are relatively small, or rely on a large network of smaller or more diverse businesses within their supply chain that may not have the same level of cyber sophistication as larger organizations. Mergers and acquisitions can also introduce risk: in our experience, some of the biggest cyber events in the manufacturing industry have resulted from limited or poor integration of acquired companies into the acquirer’s environment.

Manufacturing organizations are generally well aware of these risks and vulnerabilities. In our latest Global Risk Management Survey, manufacturers ranked both cyber attack or data breach and business interruption — which, when it occurs, is often the result of a cyber attack — as top-five industry risks.[1] These risks are no longer hypothetical; a large global steel producer was forced to temporarily suspend production at multiple locations after a cyber security incident.

Economic and political uncertainty further complicates the management of cyber risks, with inflation continuing to be a major challenge. Meanwhile, geopolitical upheaval is also having an impact on both supply chains and overall investment decisions. This may help to explain why the median percentage of the IT budget reportedly spent on security by companies in the manufacturing sector has stalled — or even fallen slightly — since 2022; companies reported that 8 percent of their IT budget was dedicated to security in 2024, compared to 8.5 percent in 2022.

Aon Clients Report: The Manufacturing Industry and Cyber Risk

Aon’s Cyber Quotient Evaluation (CyQu) data shows that overall risk scores in the sector remained fairly flat, with the average shifting from 2.5 in 2023 to 2.53 in 2024. For global manufacturing companies, scores improved marginally from 2.73 to 2.82, but there was little movement among smaller companies, which currently report an average score of 2.32. This stagnation may be particularly problematic for these small and medium-sized enterprises, especially as prominent manufacturers are increasingly imposing additional cyber maturity requirements on their supply chains. These companies reported a median spend of 7 percent of their IT budget on cyber security, which is below the industry average and may not be sufficient to deliver the resilience and risk coverage needed for key risks.

Looking at risk score by cyber domain, manufacturing companies score best, on average, for end-point security, remote work and network security, all of which are important for the industry. Perhaps unsurprisingly, given the issues highlighted above, they score least well — and significantly lower than the finance and insurance industry or the healthcare industry — for business resilience and third-party risk. In addition, digital access to production systems, often granted to trusted suppliers for remote maintenance, is increasingly becoming a back door for devastating cyber attacks. These challenging areas are attracting increasing scrutiny, including from regulators and insurers, and we expect to see companies within the manufacturing industry place an increased focus on managing these risks in the coming years.

Cyber Domains | 2024 Industrials & Manufacturing Industry (Overall Risk Score: 2.53; per-domain chart not reproduced)

In the U.S., Aon’s CyQu red flag controls data shows that our renewal clients’ red flags decreased 12 percent year over year, a substantially faster rate of improvement than the cross-industry average of 9 percent. But clearly, work remains to be done, especially in building resilience.

One of the most common red flags is a lack of recent tabletop exercises; 69 percent of middle-market companies and SMEs and 56 percent of global and enterprise clients did not complete this control during the year preceding the survey. Companies that do not perform these exercises regularly may suffer significantly greater damage in the aftermath of an attack, given that they may not be familiar with the appropriate response sequence. Holding regular tabletop exercises is comparatively straightforward, so addressing this vulnerability should be a priority.

In addition, many companies lack several other resilience-related controls, including implementing multifactor authentication for key systems and backups, and storing backups in a secondary data center. These vulnerabilities could significantly increase the amount of time it would take a company to get back up and running in the aftermath of a ransomware attack, which in turn could increase the likelihood of a ransom being paid. Companies lacking key resilience-related controls may also achieve less favorable outcomes in the insurance market.

Top 10 Critical Red Flags | 2024 Industrials & Manufacturing Industry (Middle Market & SME panel; chart not reproduced)
When it came to OT,[2] our renewal clients’ red flags showed minimal improvement between 2023 and 2024, although some progress was made on including ransomware scenarios in OT tabletop exercises and on MFA for key OT systems. Many manufacturing companies still lack crucial controls, including segmentation of the OT environment from the IT environment and from the internet: 31 percent and 21 percent of companies, respectively, lack these controls. Regular OT assessments against standards such as NIST SP 800-82 [3] or IEC 62443 [4] are crucial to identify the biggest cyber risks in OT and prioritize the right measures.

These findings on common critical red flags appear to support the idea that when it comes to incident response and recovery, companies tend to focus more on securing technology than on people, policy and procedure.

Given the size and prominence of the sector, it is perhaps unsurprising that a significant portion of ransomware attacks appear to have targeted manufacturing companies.[5] According to Aon Threat Intelligence data, manufacturing is the third-most-targeted industry for ransomware attacks.

Key Observations | 2024 Industrials & Manufacturing Industry (Highest Scoring and Lowest Scoring panels; chart not reproduced)

Now What? Actions for Manufacturing Organizations

  • Risk management involves building resilience and transferring risk. Many manufacturers may have historically looked to cyber insurance, rather than building resilience, as their main route to managing cyber risks. However, securing a comprehensive and affordable policy without demonstrating resilience has become, and will continue to become, more challenging. Identity management, backup security and regular tabletop exercises may be key areas in need of attention. The good news for many manufacturers is that reasonably priced coverage for well-managed cyber risks is growing in breadth.
  • Map and manage third-party risks. Third-party vulnerabilities have long been a key element of cyber risk for manufacturing companies, and this has only increased in recent years due to growing supply chain complexity. While insurance options for third-party risks are growing and broadening in scope, insurers will want to see that companies fully understand — and are managing — these risks.
  • Stay ahead of regulations. NIS2 [6] and the European Cyber Resilience Act [7] will have far-reaching implications for some or all manufacturers. As a result, we expect to see a significant move from protecting stand-alone technology to securing connected devices. Companies will need to fully understand these and other regulatory developments to ensure that they are getting ahead of key requirements.
  • Segment IT and OT. Segmentation of systems is imperative, as is end-of-life planning for legacy systems. Insurers require clear separation between the IT and OT environments to limit a threat actor’s ability to move laterally from the corporate network into production. Penetration testing, in which a company simulates a cyber attack to identify system vulnerabilities, is a practical way to verify that the segmentation actually holds in practice rather than only on the network diagram.
  • Focus on response and recovery. As we have seen, Aon’s CyQu red flag controls data indicate that manufacturing companies still have a lot of work to do in building business resilience. Manufacturers often focus heavily on the technology piece of recovery after a significant cyber incident, but true business resilience demands much more. Companies need comprehensive incident response and recovery plans with clear lines of responsibility, and they will need to test their plan — ideally with both executive- and technical-level reviews — at least annually to ensure it is fit for purpose.
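The OT segmentation control discussed above (OT separated from both the IT network and the internet) is also something that can be audited continuously from the firewall configuration, before a penetration test confirms it. The following is an added illustration, not code from Aon or from the report: it classifies each side of a firewall allow rule into hypothetical zones roughly following the Purdue model (OT, an OT DMZ for jump hosts and historians, enterprise IT, and everything else treated as internet) and flags any allow rule that crosses a boundary the segmentation policy forbids. The zone subnets, rule format and sample rules are all constructed for the example; it assumes a default-deny policy, so only allow rules are evaluated.

```python
"""Audit firewall allow rules against an IT/OT/internet segmentation policy.

Added example; zones, subnets and rules below are hypothetical and constructed
for illustration. Assumes a default-deny ruleset, so only allow rules matter.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical zones (Purdue-style): OT cell/area networks, an OT DMZ that
# hosts jump servers and historians, and enterprise IT. Any address that is
# not wholly inside a named zone is treated as untrusted internet.
ZONES: dict[str, list[ipaddress.IPv4Network]] = {
    "ot": [ipaddress.ip_network("10.10.0.0/16")],
    "ot_dmz": [ipaddress.ip_network("10.20.0.0/24")],
    "it": [ipaddress.ip_network("10.100.0.0/16")],
}

# Flows the segmentation policy never permits directly. Traffic between IT
# and OT must terminate in the OT DMZ (jump host, historian), and OT must
# not talk to the internet in either direction.
FORBIDDEN_FLOWS = {
    ("internet", "ot"),
    ("ot", "internet"),
    ("it", "ot"),
    ("ot", "it"),
    ("internet", "ot_dmz"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR, e.g. "10.100.7.0/24" or "0.0.0.0/0"
    dst: str     # CIDR
    dport: str   # "502", "any", "1024-65535"; kept for reporting only
    action: str  # "allow" or "deny"


def zones_touched(cidr: str) -> set[str]:
    """Return every zone a CIDR overlaps; add 'internet' if it reaches beyond them."""
    net = ipaddress.ip_network(cidr, strict=False)
    touched = {
        name for name, nets in ZONES.items()
        if any(net.overlaps(n) for n in nets)
    }
    if not any(net.subnet_of(n) for nets in ZONES.values() for n in nets):
        touched.add("internet")
    return touched


def audit(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """List (rule name, src zone, dst zone) for every forbidden flow an allow rule opens."""
    violations = []
    for rule in rules:
        if rule.action != "allow":
            continue
        for src_zone in sorted(zones_touched(rule.src)):
            for dst_zone in sorted(zones_touched(rule.dst)):
                if (src_zone, dst_zone) in FORBIDDEN_FLOWS:
                    violations.append((rule.name, src_zone, dst_zone))
    return violations


# Constructed sample ruleset: two legitimate DMZ-mediated flows, then the
# three patterns the report warns about (vendor remote access straight into
# production, engineering workstations on the corporate LAN with open access
# to OT, and OT devices allowed out to the internet).
SAMPLE_RULES = [
    Rule("historian-pull", "10.20.0.10/32", "10.10.5.0/24", "502", "allow"),
    Rule("it-to-jump", "10.100.0.0/16", "10.20.0.5/32", "3389", "allow"),
    Rule("vendor-vpn", "0.0.0.0/0", "10.10.0.0/16", "44818", "allow"),
    Rule("engineering-ws", "10.100.7.0/24", "10.10.0.0/16", "any", "allow"),
    Rule("plc-updates", "10.10.0.0/16", "0.0.0.0/0", "443", "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

if __name__ == "__main__":
    for name, src_zone, dst_zone in audit(SAMPLE_RULES):
        print(f"VIOLATION {name}: {src_zone} -> {dst_zone}")
```

Run as a script it prints one line per forbidden boundary crossing; the two DMZ-mediated rules pass, while the vendor VPN rule is flagged for both internet-to-OT and IT-to-OT because a 0.0.0.0/0 source covers every zone. In a real deployment the ruleset would be exported from the firewall and the zone table kept alongside the network documentation, so that the audit runs on every change and a penetration test then confirms that the enforcement matches the configuration.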

References

[1] “Top Risks Facing Industrials and Manufacturing Organizations,” Aon, November 28, 2023, https://www.aon.com/en/insights/reports/global-risk-management-survey/top-risks-facing-industrials-and-manufacturing-organizations.

[2] Of all clients that responded to our OT Supplemental Red Flags survey, 35 percent were from the industrials and manufacturing sector. Respondents in this sector reported a stronger average performance across OT red flags than respondents in other sectors (such as construction and real estate, healthcare, and professional and business services), though the rate of improvement for industrials and manufacturing companies has generally been slower than for companies in other sectors.

[3] Keith Stouffer et al., NIST SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security, National Institute of Standards and Technology, September 2023, https://csrc.nist.gov/pubs/sp/800/82/r3/final.

[4] “Cyber security,” IEC, accessed June 23, 2025, https://www.iec.ch/cyber-security.

[5] According to both Aon Intelligence team analysis of information posted on ransomware leak sites on the dark web and Aon Access Claims data.

[6] “NIS2 Directive: new rules on cybersecurity of network and information systems,” European Commission, accessed June 23, 2025, https://digital-strategy.ec.europa.eu/en/policies/nis2-directive.

[7] “Cyber Resilience Act,” European Commission, accessed June 23, 2025, https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act.


Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
